Business recommendation:
------------------------
An attacker without an account on the NetIQ Access Manager is be able to gain
administrative access by combining different attack vectors. Though this host
may not always be accessible from a public network, an attacker is still able
to compromise the system when directly targeting administrative users.

Because the NetIQ Access Manager is used for authentication, an attacker
compromising the system can use it to gain access to other systems.

SEC Consult highly recommends that this software is not used until a full
security review has been performed and all issues have been resolved.

4) Cross Site Request Forgery
As an example, an attacker is able to change the administration password to
'12345' by issuing a GET request in the context of an authenticated
administrator. The old password is not necessary for this attack!

The static string "k~jd)*L2;93=Gjs" is XORed with these values in order
to decrypt passwords of internally used service accounts.

By combining all of the above vulnerabilities (CSRF, XSS, XXE) an
unauthenticated, non-admin user may gain full access to the system!

Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the NetIQ Access Manager
version 4.0 SP1, which was the most recent version at the time of discovery.

Vendor contact timeline:
------------------------
2014-10-29: Contacting [email protected], sending responsible disclosure
policy and PGP keys
2014-10-29: Vendor redirects to [email protected], providing PGP keys
through Novell support page
2014-10-30: Sending encrypted security advisory to Novell
2014-10-30: Novell acknowledges the receipt of the advisory
2014-12-16: Novell: the vulnerability fixes will be released tomorrow;
The CSRF vulnerability will not be fixed immediately
("Since this can be done only after an authorized login");
two XSS vulnerabilities can not be exploited ("We could not
take advantage or retrieve any cookie info on the server
side - it looks like it's a client side cross scripting
attack.")
2014-12-16: Explaining why those vulnerabilities can be exploited
2014-12-17: Novell: Fix will be released tomorrow
2014-12-17: Verifying release of advisory tomorrow
2014-12-18: Novell: Advisory can be released
2014-12-18: Coordinated release of security advisory

Solution:
---------
Update to the latest available of Access Manager and implement workarounds
mentioned in the KB articles by Novell linked above.

Workaround:
-----------
For some vulnerabilities, Novell provides best practice recommendations in the
URLs linked above.